{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6250", "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "state": "PUBLISHED", "assignerShortName": "TPLink", "dateReserved": "2026-04-13T18:44:25.412Z", "datePublished": "2026-06-11T20:46:09.672Z", "dateUpdated": "2026-06-12T15:41:58.140Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "shortName": "TPLink", "dateUpdated": "2026-06-11T20:46:09.672Z"}, "title": "Authenticated Format String Injection on TP-Link Tapo C110", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-134", "description": "CWE-134 Use of Externally-Controlled format string", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-135", "descriptions": [{"lang": "en", "value": "CAPEC-135 Format String Injection"}]}], "affected": [{"vendor": "TP-Link Systems Inc.", "product": "Tapo C110 v2", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.4 Build 260428", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u00a0 Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.&nbsp; Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.</p>\n\n<p>A remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.</p>"}]}], "references": [{"url": "https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/us/support/faq/5128/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Juhyeop\u00a0Lee(@juhye0p) of STEALIEN", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-12T15:41:39.052599Z", "id": "CVE-2026-6250", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T15:41:58.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6250", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-12T15:41:39.052599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T15:41:54.638Z"}}], "cna": {"title": "Authenticated Format String Injection on TP-Link Tapo C110", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Juhyeop\u00a0Lee(@juhye0p) of STEALIEN"}], "impacts": [{"capecId": "CAPEC-135", "descriptions": [{"lang": "en", "value": "CAPEC-135 Format String Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TP-Link Systems Inc.", "product": "Tapo C110 v2", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.4 Build 260428", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/us/support/faq/5128/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u00a0 Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.", "supportingMedia": [{"type": "text/html", "value": "<p>An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.&nbsp; Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.</p>\n\n<p>A remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-134", "description": "CWE-134 Use of Externally-Controlled format string"}]}], "providerMetadata": {"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "shortName": "TPLink", "dateUpdated": "2026-06-11T20:46:09.672Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6250", "state": "PUBLISHED", "dateUpdated": "2026-06-12T15:41:58.140Z", "dateReserved": "2026-04-13T18:44:25.412Z", "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "datePublished": "2026-06-11T20:46:09.672Z", "assignerShortName": "TPLink"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tp-link:tapo_c110_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "08C9357E-A434-4B3F-97F9-2E51A33B60C4", "versionEndExcluding": "1.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tp-link:tapo_c110:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4559D5F3-41A8-4D2D-9956-5B721709673F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u00a0 Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption."}], "id": "CVE-2026-6250", "lastModified": "2026-06-16T14:19:23.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary"}]}, "published": "2026-06-11T22:16:57.870", "references": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Release Notes"], "url": "https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes"}, {"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Release Notes"], "url": "https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes"}, {"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Release Notes"], "url": "https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes"}, {"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor Advisory"], "url": "https://www.tp-link.com/us/support/faq/5128/"}], "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-134"}], "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-134"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5.4 Build 260428)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Tapo C110 v2", "source": "cna", "vendor": "TP-Link Systems Inc."}, "product": "tapo_c110", "vendor": "tp-link"}], "created": "2026-06-11T22:45:05.659129+00:00", "updated": "2026-06-12T20:21:33.350033+00:00", "vendors": ["tp-link", "tp-link$PRODUCT$tapo_c110"]}